Software protection against piracy has been a big trouble for developers for a long time. For software on an open platform, the piracy problem is even more serious.
The architecture of a software system based on network (e.g. the Internet or Local Area Network) mainly includes C/S architecture (Client/Server architecture) and B/S architecture (Browser/Server architecture). The B/S architecture is derived from the C/S architecture. Virtually, the browser is a client program, which converts an HTML script to a visual interface. The tasks can be allotted properly to the client side (or the browser side) and the server side on demand by making full use of resources on the two sides using the C/S and B/S architecture, thereby the communication overhead of the system is reduced. At present, most application software is of two hierarchy architecture in the form of C/S or B/S.
In the case of the software systems of the C/S or B/S architecture mentioned above, for installers of applications to be deployed on the client (or browser) side, there is no effective protection means or mechanisms to prevent the copyright from being infringed. The installers can be copied and distributed freely. The developers cannot receive the payment they deserve. Also, the security of the applications and data at the server side may be compromised.
A method for protecting software using fingerprint and application apparatus thereof are disclosed in Chinese patent 200310111755.0, wherein the user of software is authenticated via fingerprint verification, and the key code and data of software are protected with a cryptographic SDK module installed on an authentication server.
In addition, a method for protecting software is disclosed in Chinese patent 0211355.0, as well as in 200510109229.X. With the method, the code in compiled program file is divided into two parts, the first part is executed on a cryptographic apparatus, and the second part is executed on a computer.
Presently, a key device is widely used to protect software products. The key device is a small-scale hardware device with a processor and a storage unit. The key device can connect to a computer via its data communications port to control the operation of software and impose restrictions on software features. A private key can be stored within the device, and an encryption algorithm can be preset, later on, a part of algorithm can be customized. When a key device is used in a software product for protection, the device and the product are bound together and the product cannot run properly without the device. The key device provides high security for software by enabling stored private keys invisible to the external, key related operations performed within its range, and physical mechanisms for anti-attack.
For a legacy authentication mechanism on network, the username and password are transferred as plain text over network, which is easy to be intercepted. This problem can be overcome by the asymmetrical key system and the challenge/response mechanism. The asymmetrical key system is a widespread authentication system, in which the encryption key is different from the decryption key. Digital signature of PKI (Public Key Infrastructure) ensures both the confidentiality and non-repudiation of information, by first signing the plain text with a private key from the authenticated party to generate a digital signature, and then sending the digital signature to an authenticator who will decrypt it with the public key from the authenticated party, and finally comparing the decrypted digital signature with the original text for authentication.
HMAC-Hash is a regular challenge/response authentication means and enhances the Hash algorithm. The Hash algorithm is a unidirectional encryption algorithm without involving a key. It can be used for encrypting data of any size and producing cipher text data of fixed size. HMAC (keyed-Hashing Message Authentication Code) combines a key with the Hash operation, with a random number involved in each operation, to produce different resulting data for each authentication. Therefore, even if authentication data is intercepted, it cannot be used for the next authentication. Also, the key is not transmitted over the network. As a result, a higher security authentication means is provided, which completely avoids disclosure of a key.